git: c98bf2a45e05 - main - sctp: Always check for a vanishing inpcb when processing COOKIE-ECHO
Mark Johnston
markj at FreeBSD.org
Wed Sep 1 14:28:47 UTC 2021
The branch main has been updated by markj:
URL: https://cgit.FreeBSD.org/src/commit/?id=c98bf2a45e0527e7c1958f0a311cb2be072f1411
commit c98bf2a45e0527e7c1958f0a311cb2be072f1411
Author: Mark Johnston <markj at FreeBSD.org>
AuthorDate: 2021-09-01 14:28:17 +0000
Commit: Mark Johnston <markj at FreeBSD.org>
CommitDate: 2021-09-01 14:28:17 +0000
sctp: Always check for a vanishing inpcb when processing COOKIE-ECHO

We previously did this only in the normal case where no association
exists yet. However, it is not safe to process COOKIE-ECHO even if an
association exists, as sctp_process_cookie_existing() may dereference
the socket pointer.

See also commit 0c7dc84076b64ef74c24f04400d572f75ef61bb4.

Reviewed by: tuexen
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D31755
---
sys/netinet/sctp_input.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/sys/netinet/sctp_input.c b/sys/netinet/sctp_input.c
index f579d10333fb..61455e47dd71 100644
--- a/sys/netinet/sctp_input.c
+++ b/sys/netinet/sctp_input.c
@@ -4895,6 +4895,11 @@ process_control_chunks:
struct sctp_inpcb *linp;
struct sctp_tmit_chunk *chk;
+ if (inp->sctp_flags & (SCTP_PCB_FLAGS_SOCKET_GONE |
+ SCTP_PCB_FLAGS_SOCKET_ALLGONE)) {
+ goto abend;
+ }
+
if (stcb) {
linp = NULL;
} else {
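Review bot: the new flag test at the top of this hunk carries no comment explaining why it has to sit ahead of `if (stcb) {`. The reason is only in the commit message (sctp_process_cookie_existing() may dereference the socket pointer), so a later cleanup could move the test back into the `else` branch without noticing. Suggest a one-line comment above `if (inp->sctp_flags & (SCTP_PCB_FLAGS_SOCKET_GONE |` saying that the check must cover the existing-association path as well as the new-association path.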
@@ -4903,11 +4908,6 @@ process_control_chunks:
if (linp != NULL) {
SCTP_ASOC_CREATE_LOCK(linp);
- if ((inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) ||
- (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_ALLGONE)) {
- SCTP_ASOC_CREATE_UNLOCK(linp);
- goto abend;
- }
}
if (netp != NULL) {
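Review bot: after this removal nothing following `SCTP_ASOC_CREATE_LOCK(linp);` re-tests SCTP_PCB_FLAGS_SOCKET_GONE or SCTP_PCB_FLAGS_SOCKET_ALLGONE, so the only remaining test is the one that now runs before the create lock is taken. If those flags can be set by a thread serialised only by the create lock, the window between the early test and the lock acquisition is no longer covered. Please note in a comment which lock held on entry to this case keeps `inp->sctp_flags` stable, or keep a second test under the create lock that unlocks and jumps to `abend` as the removed lines did.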